forked from dependabot/dependabot-core
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Dockerfile.updater-core
126 lines (104 loc) · 5.87 KB
/
Dockerfile.updater-core
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
FROM ubuntu:20.04
LABEL org.opencontainers.image.source="https://github.com/dependabot/dependabot-core"
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
ENV DEBIAN_FRONTEND="noninteractive" \
LC_ALL="en_US.UTF-8" \
LANG="en_US.UTF-8"
RUN apt-get update \
&& apt-get upgrade -y \
&& apt-get install -y --no-install-recommends \
# dev dependencies for CI
build-essential \
curl \
zlib1g-dev \
libgmp-dev \
unzip \
# VCS section
git \
git-lfs \
bzr \
mercurial \
# needed to sign commits
gnupg2 \
# Installs certs in dependabot-action and CLI
ca-certificates \
# used to check if a file is binary in the VendorUpdater
file \
# used by Ruby to parse YAML
libyaml-dev \
locales \
&& locale-gen en_US.UTF-8 \
&& rm -rf /var/lib/apt/lists/*
ARG USER_UID=1000
ARG USER_GID=$USER_UID
RUN if ! getent group "$USER_GID"; then groupadd --gid "$USER_GID" dependabot ; \
else GROUP_NAME=$(getent group $USER_GID | awk -F':' '{print $1}'); groupmod -n dependabot "$GROUP_NAME" ; fi \
&& useradd --uid "${USER_UID}" --gid "${USER_GID}" -m dependabot \
&& mkdir -p /opt && chown dependabot:dependabot /opt && chgrp dependabot /etc/ssl/certs && chmod g+w /etc/ssl/certs
USER dependabot
ENV DEPENDABOT_HOME="/home/dependabot"
WORKDIR $DEPENDABOT_HOME
# For users to determine if dependabot is running
ENV DEPENDABOT=true
# Disable automatic pulling of files stored with Git LFS
# This avoids downloading large files not necessary for the dependabot scripts
ENV GIT_LFS_SKIP_SMUDGE=1
# Place a git shim ahead of git on the path to rewrite git arguments to use HTTPS.
ARG SHIM="https://github.com/dependabot/git-shim/releases/download/v1.4.0/git-v1.4.0-linux-amd64.tar.gz"
RUN curl -sL $SHIM -o git-shim.tar.gz && mkdir -p ~/bin && tar -xvf git-shim.tar.gz -C ~/bin && rm git-shim.tar.gz
COPY --chown=dependabot:dependabot omnibus omnibus
COPY --chown=dependabot:dependabot updater/Gemfile updater/Gemfile.lock dependabot-updater/
COPY --chown=dependabot:dependabot common/Gemfile common/dependabot-common.gemspec common/
COPY --chown=dependabot:dependabot common/lib/dependabot.rb common/lib/dependabot.rb
COPY --chown=dependabot:dependabot bundler/Gemfile bundler/dependabot-bundler.gemspec bundler/
COPY --chown=dependabot:dependabot cargo/Gemfile cargo/dependabot-cargo.gemspec cargo/
COPY --chown=dependabot:dependabot composer/Gemfile composer/dependabot-composer.gemspec composer/
COPY --chown=dependabot:dependabot docker/Gemfile docker/dependabot-docker.gemspec docker/
COPY --chown=dependabot:dependabot elm/Gemfile elm/dependabot-elm.gemspec elm/
COPY --chown=dependabot:dependabot git_submodules/Gemfile git_submodules/dependabot-git_submodules.gemspec git_submodules/
COPY --chown=dependabot:dependabot github_actions/Gemfile github_actions/dependabot-github_actions.gemspec github_actions/
COPY --chown=dependabot:dependabot go_modules/Gemfile go_modules/dependabot-go_modules.gemspec go_modules/
COPY --chown=dependabot:dependabot gradle/Gemfile gradle/dependabot-gradle.gemspec gradle/
COPY --chown=dependabot:dependabot hex/Gemfile hex/dependabot-hex.gemspec hex/
COPY --chown=dependabot:dependabot maven/Gemfile maven/dependabot-maven.gemspec maven/
COPY --chown=dependabot:dependabot npm_and_yarn/Gemfile npm_and_yarn/dependabot-npm_and_yarn.gemspec npm_and_yarn/
COPY --chown=dependabot:dependabot nuget/Gemfile nuget/dependabot-nuget.gemspec nuget/
COPY --chown=dependabot:dependabot pub/Gemfile pub/dependabot-pub.gemspec pub/
COPY --chown=dependabot:dependabot python/Gemfile python/dependabot-python.gemspec python/
COPY --chown=dependabot:dependabot swift/Gemfile swift/dependabot-swift.gemspec swift/
COPY --chown=dependabot:dependabot terraform/Gemfile terraform/dependabot-terraform.gemspec terraform/
# prevent having all the source in every ecosystem image
RUN for ecosystem in git_submodules terraform github_actions hex elm docker nuget maven gradle cargo composer go_modules python pub npm_and_yarn bundler swift; do \
mkdir -p $ecosystem/lib/dependabot; \
touch $ecosystem/lib/dependabot/$ecosystem.rb; \
done
WORKDIR $DEPENDABOT_HOME/dependabot-updater
# Install Ruby from official Docker image
# When bumping Ruby minor, need to also add the previous version to `bundler/helpers/v{1,2}/monkey_patches/definition_ruby_version_patch.rb`
COPY --from=ruby:3.1.4-bullseye --chown=dependabot:dependabot /usr/local /usr/local
# When bumping Bundler, need to also regenerate `updater/Gemfile.lock` via `bundle update --lock --bundler`
# Generally simplest to match the bundler version to the one that comes by default with whatever Ruby version we install.
# This way other projects that import this library don't have to futz around with installing new / unexpected bundler versions.
ARG BUNDLER_V2_VERSION=2.4.17
# We had to explicitly bump this as the bundled version `0.2.2` in ubuntu 20.04 has a bug.
# Once Ubuntu base image pulls in a new enough yaml version, we may not need to
# explicitly manage this. However, if we do opt to pull it back out, see all changes
# required in https://github.com/dependabot/dependabot-core/pull/7112
ARG LIBYAML_VERSION=0.2.5
RUN curl -sL https://pyyaml.org/download/libyaml/yaml-$LIBYAML_VERSION.tar.gz -o libyaml.tar.gz && \
mkdir -p $DEPENDABOT_HOME/src/libyaml && \
tar -xvf libyaml.tar.gz -C $DEPENDABOT_HOME/src/libyaml && \
rm libyaml.tar.gz
RUN gem install bundler -v $BUNDLER_V2_VERSION --no-document && \
rm -rf /var/lib/gems/*/cache/* && \
bundle config set --global build.psych --with-libyaml-source-dir=$DEPENDABOT_HOME/src/libyaml/yaml-$LIBYAML_VERSION && \
bundle config set --local path 'vendor' && \
bundle config set --local frozen 'true' && \
bundle config set --local without 'development' && \
bundle install && \
rm -rf ~/.bundle/cache
COPY --chown=dependabot:dependabot LICENSE $DEPENDABOT_HOME
ENV PATH="$DEPENDABOT_HOME/bin:$PATH"
ENV DEPENDABOT_NATIVE_HELPERS_PATH="/opt"
USER root
CMD ["bin/run"]